In recent years, malicious software developers have attempted to proliferate malware by creating software that automatically generates thousands or potentially millions of variations of a single malicious file (often referred to as “polymorphic malware”). There are many ways to create such obfuscating variants. For example, polymorphic malware can self-mutate or be mutated by manual or automatic processes that are not contained within the threat itself, such as by a process running on a server hosting the malware. Because many existing anti-virus technologies detect malicious files by identifying a unique digital signature or fingerprint for each variation of a malicious file, conventional anti-virus technologies have struggled to protect computing resources from polymorphic-malware threats due to their inability to quickly and correctly identify the digital signatures for each of the potentially millions of variations of a malicious file.
Such deficiencies in conventional anti-virus technologies have led to the investigation of alternative technologies. One promising area of development is in file “whitelisting,” a system in which only applications, files, or programs contained within a defined list may be accessed or executed by a computing system.
Security vendors may create whitelists either manually or automatically, such as through the use of web-spidering techniques. However, given the high number of new applications created and published on a daily basis, many security vendors have struggled with manually creating comprehensive whitelists. Moreover, many automatic techniques for creating whitelists only identify a portion of known legitimate files. Conventional automatic techniques are also prone to falsely identifying illegitimate files as legitimate, and vice versa, further limiting the viability of a whitelist generated using such a technique.
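The contrast drawn above, as an added example that is not part of the original text: a Python sketch comparing a per-file signature list with a whitelist when one file exists in many variants, and showing the coverage gap of an incomplete whitelist. All byte strings are constructed, inert placeholders, and the use of SHA-256 as the fingerprint and every function name are assumptions.

```python
import hashlib

def fingerprint(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the per-file "digital signature or fingerprint".
    return hashlib.sha256(data).hexdigest()

def make_variants(base: bytes, count: int) -> list[bytes]:
    # Constructed stand-in for mutation: identical content plus a differing
    # 4-byte suffix, so every variant has a different fingerprint.
    return [base + i.to_bytes(4, "big") for i in range(1, count + 1)]

def signature_policy(signatures: set[str]):
    # Default-allow: run anything whose fingerprint is not a known-bad signature.
    return lambda data: fingerprint(data) not in signatures

def whitelist_policy(whitelist: set[str]):
    # Default-deny: run only files whose fingerprint is on the list.
    return lambda data: fingerprint(data) in whitelist

def count_allowed(files: list[bytes], policy) -> int:
    return sum(1 for f in files if policy(f))

def run_demo(variant_count: int = 1000) -> dict[str, int]:
    # All byte strings below are constructed, inert placeholders.
    known_bad = b"CONSTRUCTED-INERT-SAMPLE"
    listed_apps = [b"CONSTRUCTED-LEGIT-APP-1", b"CONSTRUCTED-LEGIT-APP-2"]
    unlisted_apps = [b"CONSTRUCTED-LEGIT-APP-3"]  # published after the list was built

    by_signature = signature_policy({fingerprint(known_bad)})
    by_whitelist = whitelist_policy({fingerprint(a) for a in listed_apps})
    variants = make_variants(known_bad, variant_count)
    legit = listed_apps + unlisted_apps

    return {
        "original_allowed_by_signatures": count_allowed([known_bad], by_signature),
        "variants_allowed_by_signatures": count_allowed(variants, by_signature),
        "variants_allowed_by_whitelist": count_allowed(variants, by_whitelist),
        "legit_blocked_by_whitelist": len(legit) - count_allowed(legit, by_whitelist),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The signature list stops only the one file it has a fingerprint for, while the whitelist stops every variant but also blocks the legitimate application that was never added to it.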